
Why SSL Is So Slow to Catch On................

#1
.......................... a lot of it is predator web hosts lol!! My shared server host wants $150 for the cert and installation!! What?! I asked if they were going to support Let's Encrypt anytime soon, and he said he could get me one from them but the $150 was still the cost!! What?!

I have delved into a VPS host, and have learned a lot in a short time. I believe I have it as secured as I can get it, using FirewallD, Fail2ban and a few other goodies. I have done some vulnerability testing, and have only 3 needed ports/services open. They are all set up with 2fa when using them, ssh is key only. I am going to start moving my few sites over soon, and start hosting them myself.

Any wise words of wisdom for a fresh new admin? All pointers appreciated!
 

ichpen

Well-known member
#2
.......................... a lot of it is predator web hosts lol!! My shared server host wants $150 for the cert and installation!! What?! I asked if they were going to support Let's Encrypt anytime soon, and he said he could get me one from them but the $150 was still the cost!! What?!

I have delved into a VPS host, and have learned a lot in a short time. I believe I have it as secured as I can get it, using FirewallD, Fail2ban and a few other goodies. I have done some vulnerability testing, and have only 3 needed ports/services open. They are all set up with 2fa when using them, ssh is key only. I am going to start moving my few sites over soon, and start hosting them myself.

Any wise words of wisdom for a fresh new admin? All pointers appreciated!
Sure, closed ports won't protect you from 99% of vulnerabilities. PHP is evil (necessary but evil), WordPress just as much, WordPress plugins are twice so. There are plenty of hardening tutorials out there, but from experience most exploits, 0-day or otherwise, come from PHP and/or platform-specific vulnerabilities, whether that's WP, XF or pick your platform, rather than actual viruses/rootkits and/or server or kernel exploits. Keep snapshots and use a HIDS (host intrusion detection system) for when you do get hacked, because it happens to the best of us, and at least you'll know quickly what files have been compromised.
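The "know which files changed" part of the HIDS advice above, as an added example (not ichpen's code or any tool from the thread): a minimal file-integrity baseline in POSIX sh. It hashes every file under a web root once, and a later check re-hashes the tree and reports exactly what was added, removed or modified. It assumes GNU coreutils (sha256sum, comm, join) and file names without whitespace; the web root and its tampering are constructed inline. A real deployment would keep the manifest somewhere the web server cannot write and use a proper tool such as AIDE or OSSEC, which add signed databases, scheduling and alerting on top of the same idea.

```shell
#!/bin/sh
# Added example, not code from this thread: a minimal file-integrity
# baseline in POSIX sh, the core idea behind a HIDS. Hash a tree once,
# keep the manifest off-box, later re-hash and diff to see what changed.
# Assumes GNU coreutils (sha256sum, comm, join) and paths without spaces.

# Print a manifest of "<sha256>  <path>" for every regular file under $1.
make_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# Compare the tree at $1 against manifest $2. Prints one ADDED / REMOVED /
# MODIFIED line per deviation; returns 0 only if the tree matches exactly.
check_baseline() {
  dir=$1; manifest=$2
  tmp=$(mktemp -d)
  make_baseline "$dir" > "$tmp/current"

  # Sorted path sets, so comm(1) can compute the set differences.
  awk '{ print $2 }' "$manifest"    | LC_ALL=C sort > "$tmp/base_paths"
  awk '{ print $2 }' "$tmp/current" | LC_ALL=C sort > "$tmp/cur_paths"

  # Both manifests sorted on the path field, so join(1) can pair hashes by path.
  LC_ALL=C sort -k 2 "$manifest"    > "$tmp/base_sorted"
  LC_ALL=C sort -k 2 "$tmp/current" > "$tmp/cur_sorted"

  report=$(
    LC_ALL=C comm -13 "$tmp/base_paths" "$tmp/cur_paths" | sed 's/^/ADDED    /'
    LC_ALL=C comm -23 "$tmp/base_paths" "$tmp/cur_paths" | sed 's/^/REMOVED  /'
    # join output is "<path> <old hash> <new hash>"; differing hashes = modified
    LC_ALL=C join -1 2 -2 2 "$tmp/base_sorted" "$tmp/cur_sorted" \
      | awk '$2 != $3 { print "MODIFIED " $1 }'
  )
  rm -rf "$tmp"

  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  return 0
}

# Demo on a constructed web root: take a baseline, tamper, re-check.
demo() {
  root=$(mktemp -d)
  mkdir "$root/inc"
  echo '<?php echo "home";'  > "$root/index.php"
  echo '<?php $db = "site";' > "$root/inc/config.php"
  make_baseline "$root" > "$root.manifest"

  echo "baseline check:"
  check_baseline "$root" "$root.manifest" && echo "  clean"

  echo '// injected line' >> "$root/index.php"      # constructed: modified file
  echo 'x'                 > "$root/unexpected.php" # constructed: new file
  rm "$root/inc/config.php"                         # constructed: removed file

  echo "after tampering:"
  check_baseline "$root" "$root.manifest" || echo "  (baseline violated)"
  rm -rf "$root" "$root.manifest"
}

demo
```

Run the baseline from cron and ship the manifest and the report off the box; a manifest that lives next to the files it describes can be rewritten by whoever rewrote the files.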
 

ichpen

Well-known member
#4
Good stuff, thanks! Just personal sights anyway, but time to learn the ropes. No way I'm paying that much for a near-free certificate!
There's too many perils to list but it's also a great way to learn in a trial by fire sort of way. Google linux hardening or whatever distro you're running. Lots of guides out there. But again keep daily backups of everything in case you do get compromised.
 
#5
There's too many perils to list but it's also a great way to learn in a trial by fire sort of way. Google linux hardening or whatever distro you're running. Lots of guides out there. But again keep daily backups of everything in case you do get compromised.
CentOS with Linode. Damn near as cheap as my shared host is! They have great tutorials too!
 
#9
Linode has great tutorials. I've spent 2 days tightening it up, and feel good about it. Of course, anyone can get hacked, but not much value on my 3 or 4 personal sites. And I'm learning a lot in the process.
 

Jake B.

Well-known member
#10
For sure have heard good things about it. Not sure how much focus on security there is with these automation scripts. I know the debian/ubuntu ones (easyengine, isp config et al) are super duper for spinning up configs but fall and roll around on their faces when it comes to security.
I've only used it a couple times, and it's great. But @eva2000 can probably tell you better than I can :)
 

Pierce

Well-known member
#11
For sure have heard good things about it. Not sure how much focus on security there is with these automation scripts. I know the debian/ubuntu ones (easyengine, isp config et al) are super duper for spinning up configs but fall and roll around on their faces when it comes to security.
@eva2000 is a member of this community and also puts out announcements of security updates, what to do, kernel updates etc. It's like having your own semi-managed service for free! - end advert
 

WSWD

Well-known member
#12
Of course, anyone can get hacked, but not much value on my 3 or 4 personal sites.
They don't care about your sites...most hackers could care less, other than some advertising for their little group. What they do care about is gaining access to your VPS and sending out massive amounts of spam or DDoS attacks until your provider kicks you out. Ultimately, that's what you need to worry about. So don't take security lightly just because they are small personal sites.
 
#13
They don't care about your sites...most hackers could care less, other than some advertising for their little group. What they do care about is gaining access to your VPS and sending out massive amounts of spam or DDoS attacks until your provider kicks you out. Ultimately, that's what you need to worry about. So don't take security lightly just because they are small personal sites.
Understood. Thank you.
 

ENF

Well-known member
#15
For sure have heard good things about it. Not sure how much focus on security there is with these automation scripts. I know the debian/ubuntu ones (easyengine, isp config et al) are super duper for spinning up configs but fall and roll around on their faces when it comes to security.
We chose Centminmod as a base environment and currently all of our servers (6) are running this now. We have made various improvements, mainly around security & logging. The actual performance out of the box doesn't need any adjustment for a small to medium sized site. Lots of stuff included that you can enable or choose not use for NGINX and other tools.

Security, should never be automated. But, at least Centminmod puts in some basic configuration options to help get people on the right track. As mentioned elsewhere, Centminmond's site has great tutorials and how-to's for the inexperienced administrator. (among other sites as well)

(yeah, sounds like a promotion, but we saved a lot of time and effort in choosing Centminmod as a base config to build upon. More time to focus on other stuff.)
 

Anthony Parsons

Well-known member
#16
Any wise words of wisdom for a fresh new admin? All pointers appreciated!
Set up a test server and trial the hell out of things before you go further.

To be totally honest, it is near impossible to hack a server. Like mentioned above, it's usually exploits in the CMS you run. Any linux server with:
  1. Disable password login and replace with SSH key,
  2. Install fail2ban so you can jail nasties,
  3. Firewalld is simple and effective to keep all ports closed, other than those running software and secured as such. CSF is nicer if you want to do more,
  4. Bad bot blocker for NGINX setup: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
  5. Use cloudflare (You get enterprise DDOS protection, CDN and full crypto - FREE)
I don't use centminmod, and the reasons are various:
  • Bloated installation of NGINX for what defeats the purpose of NGINX' simplicity,
  • It's a personal project. If George fell over dead tomorrow, decided he'd had enough or otherwise that life throws at us all, CentminMod is dead in the water with him.
  • It's an increased risk compared to more stable resources.
Someone dies, quits or otherwise at NGINX, PHP or MariaDB, so forth... everything keeps going forward with security and stability.

Running on a single server, you DO NOT want memcached installed. Provides little to no benefit when benchmarked, and with SSD RAID nowadays, is more hindrance to the process. Absolutely essential IF running a server stack though.

NGINX, PHP and MariaDB are the least of your troubles. Email is the headache. Setting up functional email to send and receive, you will spend more time trying to achieve this than anything else. A simple way around, a piece I wrote the other week: https://centosnoob.com/email-web-server-iredmail-nginx-mariadb-10-x-php-7-x/144/

Always tweak just one thing, measure, look for faults and weird behaviour, then tweak further settings.

DO NOT copy and paste settings from the web that you first do not fully understand what they do or the impact of the setting on your server and users.

There is a lot of learning.

I run a cluster of servers for myself and clients that I set up from scratch using either Linode, DigitalOcean and for Australian installs, BinaryLane as they run a similar setup to Linode and DigitalOcean. Learn and understand the basics, understand everything you do.

Mine run:
  1. Centos 7 Latest Stable
  2. PHP 7.x Latest Stable
  3. MariaDB 10.x Latest Stable
  4. NGINX Latest Stable, Sometimes Mainline
  5. NGX_Pagespeed
  6. Fail2Ban
  7. FirewallD
  8. iRedMail for one master mail server that everything uses, postfix at each IF software needs to mail out.
LESS IS MORE. Good luck.
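Step 1 of the list above (disable password login, SSH keys only) is easy to get subtly wrong, so here is an added example, not Anthony's or the thread's code: a small audit of an sshd_config for the key-only posture. It mirrors two sshd(8) rules that trip people up: for a repeated keyword the FIRST occurrence wins (a hardened line near the top is not undone by a later one), and everything after a "Match" line is conditional, so the global value must appear before it. It also checks ChallengeResponseAuthentication, because keyboard-interactive auth lets PAM ask for a password even when PasswordAuthentication is off. Where a keyword is absent it assumes upstream OpenSSH defaults; the two sample configs are constructed inline.

```shell
#!/bin/sh
# Added example, not from the thread: audit sshd_config for key-only login.
# Honours sshd's first-occurrence-wins rule and stops at the first "Match"
# line, since keywords after it are conditional. Absent keywords fall back to
# the upstream OpenSSH defaults passed in by the caller (an assumption).

# Effective (lower-cased) value of keyword $2 in file $1, or default $3.
sshd_effective() {
  file=$1; key=$2; default=$3
  val=$(awk -v k="$key" '
    /^[ \t]*#/                 { next }                 # comment line
    tolower($1) == "match"     { exit }                 # global section ends
    tolower($1) == tolower(k)  { print tolower($2); exit }   # first match wins
  ' "$file")
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Print each deviation from key-only auth; exit status = number of findings.
audit_sshd_config() {
  f=$1; n=0
  pw=$(sshd_effective "$f" PasswordAuthentication yes)
  pk=$(sshd_effective "$f" PubkeyAuthentication yes)
  root=$(sshd_effective "$f" PermitRootLogin prohibit-password)
  # Keyboard-interactive lets PAM prompt for a password even with
  # PasswordAuthentication off, so it must be disabled as well.
  kbd=$(sshd_effective "$f" ChallengeResponseAuthentication yes)

  [ "$pw" = no ]  || { echo "  PasswordAuthentication=$pw (want no)"; n=$((n+1)); }
  [ "$pk" = yes ] || { echo "  PubkeyAuthentication=$pk (want yes)"; n=$((n+1)); }
  [ "$kbd" = no ] || { echo "  ChallengeResponseAuthentication=$kbd (want no)"; n=$((n+1)); }
  case $root in
    no|prohibit-password) ;;
    *) echo "  PermitRootLogin=$root (want no or prohibit-password)"; n=$((n+1)) ;;
  esac
  return $n
}

# Constructed sample 1: a stock-looking config that still accepts passwords.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
# The next line is commented out, so the default (yes) applies.
#PasswordAuthentication no
PermitRootLogin yes
ChallengeResponseAuthentication yes
EOF

# Constructed sample 2: hardened, with both traps included on purpose.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
# Second occurrence: sshd ignores it, the first one above wins.
PasswordAuthentication yes
Match User deploy
    # Only applies inside the Match block, never globally.
    PasswordAuthentication yes
EOF

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
  echo "== $cfg"
  audit_sshd_config "$cfg" && echo "   key-only posture OK" || echo "   $? finding(s)"
done
rm -f "$WEAK_CFG" "$HARDENED_CFG"
```

Run it against /etc/ssh/sshd_config before restarting sshd, and keep an existing session open while you test the new login path so a typo in the config does not lock you out.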
 

eva2000

Well-known member
#17
It's a personal project. If George fell over dead tomorrow, decided he'd had enough or otherwise that life throws at us all, CentminMod is dead in the water with him.
Somewhat true, though Centmin Mod is an open source project https://github.com/centminmod/centminmod so folks can fork it and do what they want with it etc. I'm heavily invested in Centmin Mod and eat my own dog food and have Centmin Mod running on 120+ servers of mine :)

Bloated installation of NGINX for what defeats the purpose of NGINX' simplicity,
Centmin Mod isn't just an Nginx installer, it's a full LEMP environment auto installer and differs from standard Nginx as outlined at https://community.centminmod.com/threads/explaining-what-centmin-mod-is.8181/#post-46152. And performance wise Centmin Mod Nginx will handily beat any standard Nginx distro install out of the box setup for sure - Centmin Mod Nginx is all about performance and feature availability, so no, it ain't bloated in reference to performance. But yes, Centmin Mod Nginx does install more Nginx modules than a typical Nginx distro install to expand Nginx's available feature set.

Centmin Mod Nginx is flexible you can minimise nginx modules installed via persistent config file overridden variables outlined at FAQ item 31

Centmin Mod Nginx supports HTTP/2 based HTTPS for better performance utilising OpenSSL 1.0.2/1.10 branch and LibreSSL 2.4/2.5 crypto libraries and end user can switch between them at their choosing. Standard CentOS based Nginx distro installs will not support HTTP/2 out of the box due to CentOS still using OpenSSL 1.0.1 branch without ALPN protocol support so HTTPS will be slower over HTTP 1.1 instead of HTTP/2 via OpenSSL 1.0.2/1.1.0 or LibreSSL 2.4/2.5
It's an increased risk compared to more stable resources.
I've been running Centmin Mod on 120+ servers for past 6 yrs now without issue though yes there is some risk for stability due to using Nginx 1.11 mainline branch though it's also the branch Nginx officially recommends over 1.10 stable as Nginx 1.11 has ALL security and bug fixes while Nginx 1.10 stable has only critical security and bug fixes not ALL of them.
 

Anthony Parsons

Well-known member
#18
Standard CentOS based Nginx distro installs will not support HTTP/2 out of the box due to CentOS still using OpenSSL 1.0.1 branch without ALPN protocol support so HTTPS will be slower over HTTP 1.1 instead of HTTP/2 via OpenSSL 1.0.2/1.1.0 or LibreSSL 2.4/2.5
Yer, updating to 1.0.2k is usually one of the first things I do on a server. A pretty simple task though, and agreed, important one.

I didn't think the 1.1.x branch was even compatible with Centos 7?
 

Anthony Parsons

Well-known member
#19
My shared server host wants $150 for the cert and installation!! What?! I asked if they were going to support Let's Encrypt anytime soon, and he said he could get me one from them but the $150 was still the cost!! What?!
Let's Encrypt is super simple to install if you have root access, and you can totally do it yourself without paying your host anything if you have root access to your server. If shared... you're screwed. Let's Encrypt also requires a server with approximately 768Mb minimum RAM to run the python loader. Let's Encrypt is not however suitable if you run an email server, as the CA cert for Let's Encrypt is not considered a trusted source and will cause email from anyone sending to your server to bounce when a trusted TLS connection is required (i.e. many corporate networks, some Government agencies, so forth)